Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   How to make sure this is really the Entry Point (https://forum.exetools.com/showthread.php?t=2041)

merursinecury 03-31-2003 04:53

How to make sure this is really the Entry Point
 
Howdy,

How do I make sure that the entry point reported by PE-Explorer
and ProcDump, and also the one that the SoftICE Loader stops at, is the real entry point for an EXE?

Thanks

Squidge 03-31-2003 05:29

You mean the OEP? If so, disassemble at that address and see if it looks right. If the EXE looks very Microsoft-written, then it's probably Visual C++, so you can see whether the entry point resembles the compiler's startup code. The same for Borland, etc.

merursinecury 03-31-2003 09:01

Sorry for my bad English.

No, I don't mean the Original Entry Point.
What I really mean is:
if I go to the offset reported by ProcDump and PE-Explorer as the entry point and change it to 'CC', i.e. 'int 3',
is there *ANY* chance of that code not being the FIRST thing that is run?
Meaning, could the PE header report an entry point but the EXE start from another one?

Squidge 03-31-2003 20:26

No. Whatever is reported as the entry point is guaranteed to be executed first. The only time this will be different is if the flags for the section containing the entry point do not have the execute bit set, in which case it may cause an exception instead.

Manko 04-02-2003 03:26

Hmm... I'm really not sure about these things, but the "initialization routines" in linked DLLs could be run before EIP. And they could contain code to trick you in ways...?

Am I just talking complete nonsense? I actually don't know squat about it, but I guess I read something somewhere or other...?

/Manko

lokki 04-02-2003 21:13

Hmm. Just place CC there, and when the debugger stops, take a look at the stack: if there are kernel32 or ntdll addresses, then it seems to be the entry point. You can also refer to the PE file format. Moreover, I've heard that in DLLs, for example, there exist "static objects" that are created before execution reaches the entry point, so you can try to dig this way.

Vox Humana 04-08-2003 06:22

Manko is right. In Win32, when a process is created, the loader calls, if it exists, the DLLEntryPoint function of each DLL. This happens when the process is initialized, when it exits (not if the process is terminated), when a thread is created, and when LoadLibrary and FreeLibrary are called. This method is used, for example, inside COMPEDIT.DLL in Multisim 2001 in order to terminate the process if a pirated serial number is stored in the Registry.

But anyway, the "process" entry point is the main EXE entry point; the DLLEntryPoint function cannot call the main EXE code before the process starts (i.e. when the loader puts the entry point VA into the EIP register).

Regards

amitophia 04-13-2003 08:20

IMHO, DllMain can write to main-EXE memory, so it can destroy the CC at the EP. Correct me if I'm mistaken.
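As an added example (not code from the thread, nor from PE-Explorer, ProcDump or any other tool named in it), here is a small PE32 header parser in Python that does the checks the posts above talk about: it follows AddressOfEntryPoint to the section that contains it, tests that section's IMAGE_SCN_MEM_EXECUTE flag (Squidge's caveat about the execute bit), computes the file offset where the CC byte would be written, and lists the DLL names in the import table, each of which has its DllMain run by the loader before the EXE's entry point (Vox Humana's point). The import list only says which DLLs get loaded, not what their DllMain does, which is the part amitophia warns about. The image it runs on is constructed inline with struct and is not a real binary; the DLL names in it, including COMPEDIT.DLL from the thread, are just labels in that constructed table, and the placeholder bytes at its entry point are mine. Offsets are those of the PE32 (32-bit) optional header; PE32+ images are rejected rather than misparsed.

```python
import struct

# IMAGE_SECTION_HEADER characteristics (winnt.h) and the 40-byte section header layout
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000
SECTION_FMT = "<8sIIIIIIHHI"

def parse_pe(data):
    """Read what we need from a PE32 header: entry RVA, image base, import directory RVA, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]  # DataDirectory[1] = import table
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raw, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "raw": raw, "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "import_rva": import_rva, "sections": sections}

def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    raise ValueError("RVA 0x%X lies outside every section" % rva)

def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)
    return s["raw"] + (rva - s["vaddr"])

def entry_point_info(data):
    """VA the loader puts in EIP, the file offset behind it, and whether that section is executable."""
    pe = parse_pe(data)
    s = section_for_rva(pe["sections"], pe["entry_rva"])
    return {"va": pe["image_base"] + pe["entry_rva"], "section": s["name"],
            "file_offset": s["raw"] + (pe["entry_rva"] - s["vaddr"]),
            "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)}

def imported_dlls(data):
    """DLL names in the import table; the loader runs each one's DllMain before the EXE entry point."""
    pe = parse_pe(data)
    if pe["import_rva"] == 0:
        return []
    names, off = [], rva_to_offset(pe["sections"], pe["import_rva"])
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, 20 bytes each, ended by an all-zero entry
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if not (int_rva or name_rva or iat_rva):
            return names
        name_off = rva_to_offset(pe["sections"], name_rva)
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20

def patch_int3_at_entry(data):
    """Copy of the file with 0xCC (int 3) at the entry point; refuses if the section is not executable."""
    info = entry_point_info(data)
    if not info["executable"]:
        raise ValueError("entry section lacks IMAGE_SCN_MEM_EXECUTE; int 3 would fault rather than break")
    out = bytearray(data)
    out[info["file_offset"]] = 0xCC
    return bytes(out)

def build_sample_pe(entry_rva=0x1000, text_chars=IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
                    dlls=(b"KERNEL32.dll", b"COMPEDIT.DLL")):
    """Constructed test image, not taken from any real binary: .text at RVA 0x1000 (file 0x200) and
    .idata at RVA 0x2000 (file 0x400) holding an import table that names `dlls`."""
    text = bytearray(0x200)
    text[:6] = b"\xB8\x00\x00\x00\x00\xC3"  # mov eax,0 ; ret: placeholder code at the entry point
    names = b"".join(d + b"\0" for d in dlls)
    descs, name_rva = b"", 0x2000 + 20 * (len(dlls) + 1)  # name strings follow the descriptor array
    for d in dlls:  # INT and IAT both point at a zeroed thunk list (empty imports keep the sample small)
        descs += struct.pack("<IIIII", 0x2100, 0, 0, name_rva, 0x2100)
        name_rva += len(d) + 1
    descs += bytes(20)  # all-zero terminator
    idata = (descs + names).ljust(0x200, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXECUTABLE|32BIT
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    datadir = bytearray(128)
    struct.pack_into("<II", datadir, 8, 0x2000, len(descs))  # DataDirectory[1] = import table
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_chars)
    secs += struct.pack(SECTION_FMT, b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + bytes(datadir) + secs).ljust(0x200, b"\0")
    return headers + bytes(text) + idata

if __name__ == "__main__":
    sample = build_sample_pe()
    print(entry_point_info(sample), imported_dlls(sample))
```

Run against a real EXE with `entry_point_info(open(path, "rb").read())`; an entry point that maps to a section without the execute flag, or to no section at all, is the case where a CC at the reported offset cannot be the first thing that runs, because the process faults before getting there. Section lookup uses max(VirtualSize, SizeOfRawData) so an entry point placed in a section's zero-filled tail is still resolved.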

